security: bump solrengine to 0.2.0 + mount auth engine

Replaces the local SessionsController + sessions/new view with the
bundled Solrengine::Auth::Engine. The local controller had the SIWS
replay vulnerability — verifier only checked that the signed message
contained some nonce-looking string, never bound it to user.nonce.
solrengine-auth 0.2.0 fixes this at the verifier level (secure_compare
of expected_nonce:) and the bundled controller passes user.nonce to
it, so mounting the engine inherits the fix with no per-app plumbing.

- bundle update solrengine -> 0.2.0 (pulls auth 0.2.0 + programs 0.2.0)
- Delete app/controllers/sessions_controller.rb
- Delete app/views/sessions/new.html.erb
- Delete test/controllers/sessions_controller_test.rb (gem covers it)
- routes.rb: replace 4 explicit auth routes with
  mount Solrengine::Auth::Engine => "/auth", as: :solrengine_auth
- Swap login_path / logout_path / auth_nonce_path / auth_verify_path
  helpers to solrengine_auth.* in ApplicationController#authenticate!,
  pages/landing, dashboard/show
- authenticate! respond_to html (redirect) + json (401 + code) so
  agents don't get HTML redirects on expired sessions
- transfers_controller_test.rb: switch to absolute path strings for
  main-app routes. Rails' ActionDispatch::Integration::Session swaps
  its _routes context to the engine's after any request into the
  mounted engine, so both new_transfer_path and main_app.new_transfer_path
  start resolving to /auth/transfers/new. Using "/transfers/new"
  sidesteps the helper entirely.

Author: moviendome

Gemfile.lock

@@ -1,65 +1,65 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (8.0.4)
-      actionpack (= 8.0.4)
-      activesupport (= 8.0.4)
+    actioncable (8.0.5)
+      actionpack (= 8.0.5)
+      activesupport (= 8.0.5)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (8.0.4)
-      actionpack (= 8.0.4)
-      activejob (= 8.0.4)
-      activerecord (= 8.0.4)
-      activestorage (= 8.0.4)
-      activesupport (= 8.0.4)
+    actionmailbox (8.0.5)
+      actionpack (= 8.0.5)
+      activejob (= 8.0.5)
+      activerecord (= 8.0.5)
+      activestorage (= 8.0.5)
+      activesupport (= 8.0.5)
       mail (>= 2.8.0)
-    actionmailer (8.0.4)
-      actionpack (= 8.0.4)
-      actionview (= 8.0.4)
-      activejob (= 8.0.4)
-      activesupport (= 8.0.4)
+    actionmailer (8.0.5)
+      actionpack (= 8.0.5)
+      actionview (= 8.0.5)
+      activejob (= 8.0.5)
+      activesupport (= 8.0.5)
       mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (8.0.4)
-      actionview (= 8.0.4)
-      activesupport (= 8.0.4)
+    actionpack (8.0.5)
+      actionview (= 8.0.5)
+      activesupport (= 8.0.5)
       nokogiri (>= 1.8.5)
       rack (>= 2.2.4)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actiontext (8.0.4)
-      actionpack (= 8.0.4)
-      activerecord (= 8.0.4)
-      activestorage (= 8.0.4)
-      activesupport (= 8.0.4)
+    actiontext (8.0.5)
+      actionpack (= 8.0.5)
+      activerecord (= 8.0.5)
+      activestorage (= 8.0.5)
+      activesupport (= 8.0.5)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (8.0.4)
-      activesupport (= 8.0.4)
+    actionview (8.0.5)
+      activesupport (= 8.0.5)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (8.0.4)
-      activesupport (= 8.0.4)
+    activejob (8.0.5)
+      activesupport (= 8.0.5)
       globalid (>= 0.3.6)
-    activemodel (8.0.4)
-      activesupport (= 8.0.4)
-    activerecord (8.0.4)
-      activemodel (= 8.0.4)
-      activesupport (= 8.0.4)
+    activemodel (8.0.5)
+      activesupport (= 8.0.5)
+    activerecord (8.0.5)
+      activemodel (= 8.0.5)
+      activesupport (= 8.0.5)
       timeout (>= 0.4.0)
-    activestorage (8.0.4)
-      actionpack (= 8.0.4)
-      activejob (= 8.0.4)
-      activerecord (= 8.0.4)
-      activesupport (= 8.0.4)
+    activestorage (8.0.5)
+      actionpack (= 8.0.5)
+      activejob (= 8.0.5)
+      activerecord (= 8.0.5)
+      activesupport (= 8.0.5)
       marcel (~> 1.0)
-    activesupport (8.0.4)
+    activesupport (8.0.5)
       base64
       benchmark (>= 0.3)
       bigdecimal
@@ -81,7 +81,7 @@ GEM
     bcrypt_pbkdf (1.1.2-arm64-darwin)
     bcrypt_pbkdf (1.1.2-x86_64-darwin)
     benchmark (0.5.0)
-    bigdecimal (4.0.1)
+    bigdecimal (4.1.2)
     bindex (0.8.1)
     bootsnap (1.23.0)
       msgpack (~> 1.2)
@@ -104,7 +104,7 @@ GEM
       railties (>= 6.1)
     drb (2.2.3)
     ed25519 (1.4.0)
-    erb (6.0.2)
+    erb (6.0.3)
     erubi (1.13.1)
     et-orbi (1.4.0)
       tzinfo
@@ -174,7 +174,7 @@ GEM
     mcp (0.8.0)
       json-schema (>= 4.1)
     mini_mime (1.1.5)
-    minitest (6.0.2)
+    minitest (6.0.4)
       drb (~> 2.0)
       prism (~> 1.5)
     msgpack (1.8.0)
@@ -231,46 +231,46 @@ GEM
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (3.2.5)
-    rack-session (2.1.1)
+    rack (3.2.6)
+    rack-session (2.1.2)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
     rack-test (2.2.0)
       rack (>= 1.3)
     rackup (2.3.1)
       rack (>= 3)
-    rails (8.0.4)
-      actioncable (= 8.0.4)
-      actionmailbox (= 8.0.4)
-      actionmailer (= 8.0.4)
-      actionpack (= 8.0.4)
-      actiontext (= 8.0.4)
-      actionview (= 8.0.4)
-      activejob (= 8.0.4)
-      activemodel (= 8.0.4)
-      activerecord (= 8.0.4)
-      activestorage (= 8.0.4)
-      activesupport (= 8.0.4)
+    rails (8.0.5)
+      actioncable (= 8.0.5)
+      actionmailbox (= 8.0.5)
+      actionmailer (= 8.0.5)
+      actionpack (= 8.0.5)
+      actiontext (= 8.0.5)
+      actionview (= 8.0.5)
+      activejob (= 8.0.5)
+      activemodel (= 8.0.5)
+      activerecord (= 8.0.5)
+      activestorage (= 8.0.5)
+      activesupport (= 8.0.5)
       bundler (>= 1.15.0)
-      railties (= 8.0.4)
+      railties (= 8.0.5)
     rails-dom-testing (2.3.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.7.0)
       loofah (~> 2.25)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (8.0.4)
-      actionpack (= 8.0.4)
-      activesupport (= 8.0.4)
+    railties (8.0.5)
+      actionpack (= 8.0.5)
+      activesupport (= 8.0.5)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
       tsort (>= 0.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.3.1)
+    rake (13.4.2)
     rb-fsevent (0.11.2)
     rb-inotify (0.11.1)
       ffi (~> 1.0)
@@ -328,18 +328,18 @@ GEM
       fugit (~> 1.11)
       railties (>= 7.1)
       thor (>= 1.3.1)
-    solrengine (0.1.0)
-      solrengine-auth (~> 0.1)
-      solrengine-programs (~> 0.1)
+    solrengine (0.2.0)
+      solrengine-auth (~> 0.2)
+      solrengine-programs (~> 0.2)
       solrengine-realtime (~> 0.1)
       solrengine-rpc (~> 0.1)
       solrengine-tokens (~> 0.1)
       solrengine-transactions (~> 0.1)
-    solrengine-auth (0.1.0)
+    solrengine-auth (0.2.0)
       base58 (~> 0.2)
       ed25519 (~> 1.4)
       rails (>= 7.1)
-    solrengine-programs (0.1.0)
+    solrengine-programs (0.2.0)
       base58 (~> 0.2)
       borsh (~> 0.2)
       ed25519 (~> 1.3)

app/controllers/application_controller.rb

@@ -16,6 +16,10 @@ def logged_in?
   end
 
   def authenticate!
-    redirect_to login_path unless logged_in?
+    return if logged_in?
+    respond_to do |format|
+      format.html { redirect_to solrengine_auth.login_path }
+      format.json { render json: { error: "Not authenticated", code: "unauthenticated" }, status: :unauthorized }
+    end
   end
 end

app/controllers/sessions_controller.rb

@@ -30,7 +30,7 @@
         </button>
 
         <%# Disconnect %>
-        <%= button_to "Disconnect", logout_path, method: :delete, class: "text-gray-500 hover:text-white text-xs cursor-pointer transition-colors" %>
+        <%= button_to "Disconnect", solrengine_auth.logout_path, method: :delete, class: "text-gray-500 hover:text-white text-xs cursor-pointer transition-colors" %>
       </div>
     </div>
   </nav>

app/views/dashboard/show.html.erb

@@ -10,7 +10,7 @@
       </div>
       <div class="flex items-center gap-4">
         <a href="https://github.com/solrengine/wallet-train" target="_blank" class="text-gray-400 hover:text-white text-sm transition-colors">GitHub</a>
-        <%= link_to "Launch App", login_path, class: "bg-gradient-to-r from-purple-600 to-blue-600 hover:from-purple-500 hover:to-blue-500 text-white text-sm font-medium py-2 px-4 rounded-lg transition-all duration-200" %>
+        <%= link_to "Launch App", solrengine_auth.login_path, class: "bg-gradient-to-r from-purple-600 to-blue-600 hover:from-purple-500 hover:to-blue-500 text-white text-sm font-medium py-2 px-4 rounded-lg transition-all duration-200" %>
       </div>
     </div>
   </nav>
@@ -30,7 +30,7 @@
         </p>
 
         <div class="flex flex-wrap gap-4">
-          <%= link_to login_path, class: "inline-flex items-center gap-2 bg-gradient-to-r from-purple-600 to-blue-600 hover:from-purple-500 hover:to-blue-500 text-white font-semibold py-3 px-6 rounded-xl transition-all duration-200" do %>
+          <%= link_to solrengine_auth.login_path, class: "inline-flex items-center gap-2 bg-gradient-to-r from-purple-600 to-blue-600 hover:from-purple-500 hover:to-blue-500 text-white font-semibold py-3 px-6 rounded-xl transition-all duration-200" do %>
             <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
               <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1" />
             </svg>

app/views/pages/landing.html.erb

@@ -2,11 +2,8 @@
   # Health check
   get "up" => "rails/health#show", as: :rails_health_check
 
-  # Authentication
-  get  "login",       to: "sessions#new",     as: :login
-  get  "auth/nonce",  to: "sessions#nonce",   as: :auth_nonce
-  post "auth/verify", to: "sessions#create",  as: :auth_verify
-  delete "logout",    to: "sessions#destroy",  as: :logout
+  # SIWS authentication — bundled controller from solrengine-auth.
+  mount Solrengine::Auth::Engine => "/auth", as: :solrengine_auth
 
   # Dashboard
   get "dashboard", to: "dashboard#show", as: :dashboard